Friday, July 3, 2009

Caveat User: Data Mining and Sneaky Services Providers

According to Zero Hedge, Goldman Sachs may have been using data from activities on its news/research web portal, and possibly also its trading portal for Goldman clients, to "front run" its clients. "Front running" occurs when a brokerage firm (like Goldman) executes a trade on a stock on its own behalf before executing a trade on behalf of a client for the same stock - which might, for example, result in a nice profit on a purchase for the front-runner if the following client trade is large (or otherwise influential) enough to move the stock price up, or avoid a nasty loss if the following client trade drives it down.

Front-running has been around for a while, and under some circumstances might be illegal insider trading, though that can be a hard case to make. The neat thing about Goldman's approach - and, per Zero Hedge, apparently that of some other comparable institutions - is that they set up their terms of use so that users in fact consent to Goldman's use of data about their use of the web services for purposes implicitly including front running.

Terms of use, of course, are a form of contract users accept, by website actions ranging from explicit entry of user information and account setup, to simply continuing to access the website with notification of a link to the terms of use (all forms of electronic signature, generally legally binding by statute and caselaw). If you have notice of and an opportunity to read the terms of use and choose not to do so - the usual response; when did you last read a website's terms of use? - you're still bound by the information they contain and the agreements they include. (I haven't tried to find out how the Goldman website's terms of use are set up.)

The relevant provision in the Goldman terms of use states:
Monitoring by GS
[Goldman Sachs]: Your use of the products and services on this Web site may be monitored by GS, and that the resultant information may be used by GS for its internal business purposes or in accordance with the rules of any applicable regulatory or self-regulatory organization.

If (1) front running is an "internal business purpose" of Goldman and (2) "in accordance with" implicitly includes the meaning "not prohibited by," website users have agreed that Goldman can use their website activity data to front-run them. If Goldman were to combine such data - which I assume could be pretty rich and detailed for a long-term user - with other information about the user, the user's employer, etc., etc., obtained from other sources - well, let's just say I think they would have a very valuable data set for their own trading decisions.

I assume some smart lawyers vetted all this for Goldman and concluded it wasn't prohibited by any applicable law - probably backed by some internal controls to avoid clear legal violations like actual insider trading by Goldman insiders who might have a fiduciary relationship to the client - but it seems to me unlikely that the average Goldman client using its website would anticipate this kind of use of its users' information, whether or not they read the terms of use. And I can readily imagine that front-running a client trade could harm the client's interests, if the broker trade ran prices up before a client purchase, or down before a client sale. But given the terms of use, they've accepted this use of their data.

I'm not sure this ends the legal inquiry; I haven't tried to figure out how the Gramm-Leach-Bliley privacy regulations or New York state privacy laws might be implicated. Again, I assume smart lawyers gave this an extensive - and expensive! - analysis, and there are internal controls intended to prevent clear violations. In any case where the user is acting on behalf of an institution these won't be implicated anyway, as they are intended to protect individual consumer privacy, not institutional interests. But I wouldn't be surprised to see NY AG Andrew Cuomo take an interest in what might have been going on under the hood, and perhaps the FTC as well. (Note: Rolling Stone reporter Matt Taibbi is on the case, so this may get some public traction.)

And one clear takeaway for me is that institutional clients of firms providing this kind of web service under this type of terms of use should seriously consider not using it. Unless the institution is using the service, and trading, on its own behalf, it probably owes some form of duty to its own clients (contractual, etc.) not to expose them to known, potentially harmful trading risks. Now that the risk of implicitly authorized front-running is known, seems to me it is something to avoid.

Caveat user. Read those terms of use!